Set Login Restrictions to protect Cisco IOS Routers & Switches

Set Login Restrictions to protect Cisco IOS Routers & Switches

While no security is fool proof, it is important that we do as much as we can to ensure maximum protection on our netowrk devices like Routers and Switches. Cisco IOS has enhanced Login restriction features which can control login attempts to it. This includes time delay between failed login attempts, block period after a set of failed login attempts and audit logs of successful and failed login attempts.

These login restrictions provides more control and make it that more harder for unauthorised accesses and prevent against Dictionary based DoS attacks. To start of with,

Block Logins after failed attempts

From the Global configuration mode enter the login block-for command to block login attempts to the Cisco Router and Switches for a set period after a preset number of failed login attempts in a specified period of time.

ciscorouter# conf t

ciscorouter(config)# login block-for 300 attempts 3 within 60

Here we block all login attempts (except for the exception ACL list which we will see a few lines down) for 300seconds (5mins) after 3 failed login attempts with 60 seconds (1min). This blocking period is called "Quiet mode"

Set Login Delays

We can enforce a time delay after a failed login attempt. As soon as the "login lock-for" option is set, this automatically kicks in with the default value of 1 second. However, this can manually changed to anything upto 10 seconds.

ciscorouter(config)# login delay 10

Here we set a delay of 10 seconds after a failed login attempt.

Set Quiet Mode Exception ACL

While we enforce a blocking period after successive failed login attempts, we can configure an Exception Access list of hosts or networks. These hosts or networks will be able to login to the router even in the quiet mode.

ciscorouter(config)# login quiet-mode access-class 10

Where 10 is the ACL

Audit Logs on Failed and Successfule login attempts

To enable logging after failed login attempts

ciscorouter(config)# login on-failure log

This logs every time there is a failed login attempt. We can customize the number of failed attempts after which the message is logged.

ciscorouter(config)# login on-failure log 3

The above logs the failed attempts after 3 successive failure.

Similarly, successful logins can be logged as well

ciscorouter(config)# login on-success log

or

ciscorouter(config)# login on-success log 5

To display the Login configuration status

Simply do a

ciscorouter# sh login

A default login delay of 10 seconds is applied.

No Quiet-Mode access list has been configured.

All successful login is logged and generate SNMP traps.

All failed login is logged and generate SNMP traps.

Router enabled to watch for login Attacks.

If more than 3 login failures occur in 60 seconds or less, logins will be disabled for 300 seconds.

Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds.

Denying logins from all sources.

To only display failed login attempts

ciscorouter# sh login failure

Information about login failure's with the device

Username Source IPAddr lPort Count TimeStamp

admin1 192.168.1.1 23 1 21:52:49 UTC Sun Mar 9 2008

someone 192.168.1.2 23 1 21:52:52 UTC Sun Mar 9 2008

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

3 Comments

A good article, but it’s worth mentioning that the “login” command syntax tree isn’t available in a lot of IOS versions, perticularly the older versions on routers and switches. Version IOS 12.3 and up as far as I know are alright.